Though not new, vestibule skimming is a surging trend, and fraud experts say the industry can expect to see more incidents until financial institutions take additional measures to address security at the ATM and its surrounding access points.

"The vestibules are definitely getting hit more often," says Aite fraud analyst Julie McNelley. Criminals have found a security gap, and now they are exploiting it, she says. "They saw that the banks were proactively checking the ATM, so then they hit the vestibules."

Inside the Connecticut Case

The most recent vestibule skimming case in Connecticut sheds light on the fraudsters' methods of operation.

On May 3, the U.S. District Court of Connecticut sentenced Ion Preda to 24 months in prison and five years of supervised release for the role he played in a multistate ATM and vestibule skimming scheme that targeted People's United Bank, PNC, Wachovia (now part of Wells Fargo) and other institutions.

According to court records, from September 2009 until his arrest in May 2010, Preda and co-defendant Marius Olustean targeted branch ATMs and ATM vestibules in Connecticut, Pennsylvania, New York and New Jersey.

In March, Olustean pleaded guilty to the same charges and was sentenced to 41 months.

With skimming devices and pinhole cameras, the two copied and collected magnetic-stripe details from cards and PINs. They then created counterfeit ATM/debit cards and fraudulently withdrew more than $200,000 from numerous bank accounts.

Preda and Olustean were linked to a September 2009 attack on a People's United Bank ATM in Madison, Conn., where they installed a PIN-capturing device. They then used cloned cards and stolen PINs to withdraw cash from compromised accounts at another People's United Bank ATM in Greenwich, Conn. In June and July 2009, the two installed skimming devices and pinhole cameras at a Wachovia ATM and PNC ATM in Philadelphia, and subsequently stole money from compromised accounts at those banks as well.

When the duo was arrested by Indiana State Police, authorities seized $1,285 in cash, laptop computers, gift cards, tools and Western Union receipts linking them to the compromised accounts.

Anti-Skimming Tech: Ineffective?

Experts say the battle against skimming - particularly at ATM vestibules - is challenging for several reasons. For one, the anti-skimming technology banks and credit unions rely on is varied. Some rely on technology that alerts branch staff when the fascia of an ATM is manipulated. Others rely on transactional analytics, biometrics readers and even out-of-band authentication for ATM transactions. Few institutions focus on security for vestibule access doors.

"The one important thing here to remember is that reasonably sophisticated criminals can skim cards and PINs directly from the ATM without a vestibule door card reader as part of their modus operandi," Buzzards says. "Financial institutions can really only focus on a couple of areas to reduce their exposure to fraud scams, like vestibule card skimming."

Mike Urban, a financial fraud expert with Fiserv, a core processor that provides security services to financial institutions, agrees. In fact, Urban questions the need for vestibules. Today, they pose more security vulnerabilities than benefits.

"Vestibule skimming has been around since the '90s, and it's ongoing," Urban says. "It's an opportunistic crime, and it's much more difficult to protect. It's much more challenging to detect if something has been added to the reader, like we can at ATMs. And because data is not being recorded like it is for ATM transactions, it's also more difficult to track."

The easily copied mag-stripe poses additional concerns, says Randy Vanderhoof, executive director of the Smart Card Alliance.

"Until the U.S. issuers reach the point where their fraud losses or the expenses in mitigating further losses reach the level of where magnetic stripe fraud is no longer a cost of doing business, or banking regulations intervene, we will be seeing more cases," he says.

Card issuers will eventually migrate toward new payments technology, such as chip and PIN payments that meet security requirements of the Europay, MasterCard, Visa standard. Until then, however, institutions have to address skimming fraud in the here and now.

"This is a very high priority for financial institutions," McNelley says of recent skimming incidents. "But they can't rely on one technology or solution. They need a layered approach, one that includes a combination of policies and procedures, like regular inspections of ATMs (and vestibules)."

About the Author

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
